{# this template is used to generate a nginx.conf for booting a nginx server based on the given environment inventory #}

worker_processes {{ nginx.wpn.router }};
worker_rlimit_nofile 4096;

events {
{# default: 1024 #}
    worker_connections 4096;
}

http {
{# allow large uploads, need to thread proper limit into here #}
    client_max_body_size 50M;

    rewrite_log on;
{# change log format to display the upstream information #}
    log_format combined-upstream '$remote_addr - $remote_user [$time_local] '
        '$request $status $body_bytes_sent '
        '$http_referer $http_user_agent $upstream_addr';
    access_log /logs/nginx_access.log combined-upstream;

    proxy_http_version 1.1;
    proxy_set_header Connection "";

    upstream controllers {
        # fail_timeout: period of time the server will be considered unavailable
        # Mark the controller as unavailable for at least 60 seconds, to not get any requests during restart.
        # Otherwise, nginx would dispatch requests when the container is up, but the backend in the container not.
        # From the docs:
        # "normally, requests with a non-idempotent method (POST, LOCK, PATCH) are not passed to the next server if a request has been sent to an upstream server"
        server {{ hostvars[groups['controllers'] | first].ansible_host }}:{{ controller.basePort }} fail_timeout=60s;
{% for ip in groups['controllers'] %}
{% if groups['controllers'].index(ip) > 0 %}
        server {{ hostvars[ip].ansible_host }}:{{ controller.basePort + groups['controllers'].index(ip) }} {% if controller.ha %}fail_timeout=60s{% else %}backup{% endif %};
{% endif %}
{% endfor %}
        keepalive 512;
    }

    server {
        listen 443 default ssl;

        # match namespace, note while OpenWhisk allows a richer character set for a
        # namespace, not all those characters are permitted in the (sub)domain name;
        # if namespace does not match, no vanity URL rewriting takes place.
        server_name ~^(?<namespace>[0-9a-zA-Z-]+)\.{{ whisk_api_localhost_name | default(whisk_api_host_name) | default(whisk_api_localhost_name_default) }}$;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_certificate      /etc/nginx/{{ nginx.ssl.cert }};
        ssl_certificate_key  /etc/nginx/{{ nginx.ssl.key }};
        {% if nginx.ssl.password_enabled %}
        ssl_password_file   "/etc/nginx/{{ nginx.ssl.password_file }}";
        {% endif %}
        ssl_client_certificate /etc/nginx/{{ nginx.ssl.client_ca_cert }};
        ssl_verify_client {{ nginx.ssl.verify_client }};
        ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers RC4:HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        proxy_ssl_verify off;
        proxy_ssl_session_reuse on;

        # proxy to the web action path
        location / {
            if ($namespace) {
              rewrite    /(.*) /api/v1/web/${namespace}/$1 break;
            }
            proxy_pass http://controllers;
            proxy_read_timeout 75s; # 70+5 additional seconds to allow controller to terminate request
        }

        # proxy to 'public/html' web action by convention
        location = / {
            if ($namespace) {
              rewrite    ^ /api/v1/web/${namespace}/public/index.html break;
            }
            proxy_pass http://controllers;
            proxy_read_timeout 75s; # 70+5 additional seconds to allow controller to terminate request
        }

        location /blackbox.tar.gz {
            return 301 https://github.com/apache/incubator-openwhisk-runtime-docker/releases/download/sdk%400.1.0/blackbox-0.1.0.tar.gz;
        }
        # leaving this for a while for clients out there to update to the new endpoint
        location /blackbox-0.1.0.tar.gz {
            return 301 /blackbox.tar.gz;
        }

        location /OpenWhiskIOSStarterApp.zip {
            return 301 https://github.com/apache/incubator-openwhisk-client-swift/releases/download/0.2.3/starterapp-0.2.3.zip;
        }

        location /cli/go/download {
            autoindex on;
            root /etc/nginx;
        }
    }
}
